PayPal might have misled investors about the existence of a 2017 data breach, but it didn’t knowingly hide the number of customers affected, a federal judge said Dec. 13.

PayPal investors said the internet payments company misled them about a hack that affected 1.6 million customers. But they didn’t sufficiently allege that PayPal knew how many people the breach affected, Judge Edward M. Chen of the U.S. District Court for the Northern District of California said.

The company knew a subsidiary had suffered a breach before it warned investors about the “potential” hack in November 2017, the order dismissing the case said. But it didn’t tell investors a hack had actually occurred until December, according to the order. The investors—who purchased PayPal stock after the warning but before the revelation—said the company misled them about the seriousness of the issue.

PayPal’s share price fell about 5.75 percent after the company’s December announcement that hackers had gained access to the customers data, the investors said.

The complaint sufficiently alleged that PayPal knew there had been an actual breach when it warned investors about a “potential” vulnerability, according to the order. But the investors didn’t provide enough facts to suggest the company knew the full extent of the hack at the time, Chen said.

The investors can still amend their complaint and try again, according to the order.

Chen has heard more than 50 securities cases since he became a district judge in 2011, according to Bloomberg Law Litigation Analytics. He grants motions to dismiss in securities cases about 56 percent of the time and denies them outright just 6.3 percent of the time. This is PayPal’s first appearance before him.

The Rosen Law Firm P.A. and Pomerantz LLP represented the class. Orrick, Herrington & Sutcliffe LLP represented PayPal.

The case is Sgarlata v. PayPal Holdings Inc., N.D. Cal., No. 17-cv-06956, 12/13/18.